Microsoft Sentinel Analytic Rules

GitHub Activites from a New Country

Id: f041e01d-840d-43da-95c8-4188f6cef546
Rulename: GitHub Activites from a New Country
Description: Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.
Severity: Medium
Tactics: InitialAccess
Techniques: T1078
Kind: Scheduled
Query frequency: 1d
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Activities from Infrequent Country.yaml
Version: 1.0.1
Arm template: f041e01d-840d-43da-95c8-4188f6cef546.json
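// Flags GitHub audit activity by an actor from a country that is absent from
// that same actor's baseline of recently seen countries.
//
// Window layout, relative to rule execution time:
//   baseline  : ago(EndLearningTime) .. ago(StartTime)
//   detection : ago(StartTime)       .. ago(EndRunTime)
//
// The baseline is built per Actor only; countries seen for other actors in the
// organization are not consulted.
let LearningPeriod = 7d;
// The detection window is sized to the rule's 1d query frequency. With the
// earlier 1h values a rule that runs once a day evaluated only the final hour
// before each run, leaving the other 23 hours of activity unexamined.
let RunTime = 1d;
let StartTime = 1d;
let EndRunTime = StartTime - RunTime;
// The baseline now reaches back StartTime + LearningPeriod = 8d.
// NOTE(review): the rule's lookback (query period) should be at least that
// long; a shorter lookback presumably clips the baseline. Confirm when deploying.
let EndLearningTime = StartTime + LearningPeriod;
// Rows without a country can neither be baselined nor compared, so drop them.
let GitHubCountryCodeLogs = (GitHubAuditData
| where Country != "");
GitHubCountryCodeLogs
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize set_Country = make_set(Country) by Actor
// NOTE(review): this is an inner join, so an actor with no baseline rows
// (a new account, or one idle for the whole learning period) is never
// returned. If first-ever activity should alert, it needs separate handling.
| join kind=innerunique (
  GitHubCountryCodeLogs
  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
  | distinct Country, Actor, TimeGenerated
) on Actor
// Exact set membership. The previous `!contains` did a case-insensitive
// substring match against the serialized set, which can hide a new country
// whose value is a substring of one already in the baseline.
| where not(set_has_element(set_Country, Country))
| extend timestamp = TimeGenerated
// AccountUPNSuffix is empty when Actor holds no "@".
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])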
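# Scheduled analytic rule: GitHub activity by an actor from a country that is
# not in that actor's recent baseline.
relevantTechniques:
- T1078
name: GitHub Activites from a New Country
requiredDataConnectors: []
# Maps the Actor column (and its "@"-split parts) onto the Account entity.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Actor
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
triggerThreshold: 0
id: f041e01d-840d-43da-95c8-4188f6cef546
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Activities from Infrequent Country.yaml
# Lookback covers the 1d detection window plus the 7d learning period that the
# query uses; with 7d the oldest day of the baseline would fall outside it.
queryPeriod: 8d
kind: Scheduled
# Runs once a day; the query's detection window (RunTime) is sized to match so
# that no activity between two runs is skipped.
queryFrequency: 1d
severity: Medium
status: Available
# NOTE(review): the text below mentions "any user in your organization", but
# the query builds its baseline per Actor only.
description: |
    'Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.'
query: |
  // baseline  : ago(EndLearningTime) .. ago(StartTime)
  // detection : ago(StartTime)       .. ago(EndRunTime)
  let LearningPeriod = 7d;
  // Sized to queryFrequency; the earlier 1h values left 23 hours of each day unexamined.
  let RunTime = 1d;
  let StartTime = 1d;
  let EndRunTime = StartTime - RunTime;
  let EndLearningTime = StartTime + LearningPeriod;
  let GitHubCountryCodeLogs = (GitHubAuditData
  | where Country != "");
  GitHubCountryCodeLogs
  | where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
  | summarize set_Country = make_set(Country) by Actor
  // Inner join: actors with no baseline rows are never returned.
  | join kind=innerunique (
    GitHubCountryCodeLogs
    | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
    | distinct Country, Actor, TimeGenerated
  ) on Actor
  // Exact set membership instead of a substring match on the serialized set.
  | where not(set_has_element(set_Country, Country))
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])
triggerOperator: gt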
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f041e01d-840d-43da-95c8-4188f6cef546')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f041e01d-840d-43da-95c8-4188f6cef546')]",
      "properties": {
        "alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546",
        "customDetails": null,
        "description": "'Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.'\n",
        "displayName": "GitHub Activites from a New Country",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Actor",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Activities from Infrequent Country.yaml",
        "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAuditData\n| where Country != \"\");\n  GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n  GitHubCountryCodeLogs\n  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n  | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend timestamp = TimeGenerated\n| extend AccountName = tostring(split(Actor, \"@\")[0]), AccountUPNSuffix = tostring(split(Actor, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}